Aarogya Setu Flaw Can Allow Any User to be Tracked Down, Claims Hacker
According to French ethical hacker Robert Baptiste, Aarogya Setu's code structure could have allowed info of over 90mn users to be exposed to public.

The Aarogya Setu app reportedly had a flaw in its source code that could have allowed any user with malicious intent to track down the near-exact locations of everyone who has so far tested positive or symptomatic for Covid-19. In a series of tweets and a blog post, French ethical hacker Robert Baptiste, who goes by the alias Elliot Alderson (@fs0c131y on Twitter), claimed that the Aarogya Setu app presently allows anyone so inclined to access the app's internal files, and to use certain techniques to find the location of every user of the app, along with reading their health status.

In his post, Baptiste further states that many of the flaws he has been incrementally reporting in the app are being patched. He has also called for the source code of the Aarogya Setu application to be opened up, which would allow independent parties to vet it for security and privacy flaws and make it a stronger application.

The Aarogya Setu app has also come under scrutiny from various parties over its privacy policy. Security researchers have found one particular clause that limits the liability of the Indian government in case of unintended and unauthorised access to sensitive user data. While such clauses are often included in a variety of services, the issue is more serious in this case because the app is of national significance and holds data as sensitive as the health status of Indian citizens, identified by location.

With the application now made mandatory under the latest lockdown rules, many bodies and organisations, headed by the Internet Freedom Foundation of India, have written to the government urging it to revise the decision. They have also called for a revision of how the Aarogya Setu app works, suggesting decentralised techniques as a solution that can enable contact tracing without raising the risk of unauthorised surveillance.

In response, a statement by an Aarogya Setu spokesperson said, "No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified. We encourage any users who identify a vulnerability to inform us immediately."
